Microsoft’s MS14-068 update fixes a vulnerability in the Windows implementation of Kerberos that allows an attacker holding any ordinary domain user account to elevate to domain administrator. Microsoft rated the patch “critical,” warned that the exploit has already been used in the wild, and advises system administrators to install it immediately.

An attacker who holds valid credentials for any domain account, even an unprivileged one, can exploit the vulnerability (CVE-2014-6324) to obtain domain administrator rights and from there compromise any computer in the domain, including the domain controllers.

The flaw lies in the way the Windows Kerberos KDC (Key Distribution Center) validates the Privilege Attribute Certificate (PAC), the structure inside a Kerberos ticket that carries the user’s group memberships and therefore decides what the user is authorized to do. If an attacker can forge a PAC that claims Domain Admins membership and get the KDC to accept it as genuine, the KDC issues tickets that grant him administrative rights over the whole domain. Whatever he does with that access (new accounts, stolen credential material, changes on domain controllers) survives installation of the patch, giving him a foothold that lasts long after the update is applied; Microsoft’s guidance is that the only way to remediate a domain compromised this way with high confidence is a complete domain rebuild.

The Microsoft patch corrects signature verification in the Windows implementation of Kerberos so that a forged PAC is rejected. It closes the hole; it does not undo anything an attacker has already done with forged tickets.

Domain controllers running Windows Server 2008 R2 and earlier are exposed to the attack seen in the wild. Microsoft warns that domain controllers running Windows Server 2012 and later are exposed to a related attack that is significantly more difficult to carry out, so they must be patched as well.

A “defense-in-depth” update will also be released for Windows Vista, Windows 7, Windows 8 and Windows 8.1, although they have not been deemed vulnerable.

Administrators are advised to collect and review the Security event logs of their domain controllers for signs of intrusion. Once the update is installed, exploitation attempts can be identified by Event ID 4769 (Kerberos Service Ticket Operation) entries with Failure Code 0xf; that code (KDC_ERR_SUMTYPE_NOSUPP, “checksum type not supported”) is what the patched KDC returns when a ticket carries a PAC signed with a checksum type it no longer accepts. The event is only written when the “Audit Kerberos Service Ticket Operations” audit subcategory is enabled on the domain controllers, and 4769 is one of the noisiest events in a domain, so filter on the failure code rather than reviewing the events by hand. A 0xf failure can occasionally have a benign cause, but in most cases it is a clear sign of an exploitation attempt.
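The following PowerShell script is an added example of that hunt, not code from the original article or from Microsoft. It enables the audit subcategory, pulls only the 4769 events whose Status field is 0xf within a lookback window, and summarizes them per client IP so a burst of forged-ticket requests from one host stands out. The computer name, lookback window, and the lowercase rendering of the status value (“0xf”, as the guidance quotes it) are assumptions; run it in an elevated session on the domain controller or point -ComputerName at it.

```powershell
# Added example (not from the original article): hunt for MS14-068 exploitation
# attempts on a patched domain controller using Security event 4769 with
# Failure Code 0xf. Assumptions: an elevated session with rights to read the
# Security log, a Security log retained long enough to cover the window, and
# Status rendered in lowercase hex ("0xf") as the event XML normally shows it.

param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed: the DC to query
    [int]$Days = 7                                # assumed lookback window
)

# 1. 4769 is only written when this subcategory is on (success and failure).
#    On a DC the setting is usually governed by the Default Domain Controllers
#    Policy GPO, so set it there too or group policy may revert this change.
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable | Out-Null

# 2. Pull only 4769 events whose Status is 0xf. Filtering inside the query,
#    not after the fact in PowerShell, is what keeps this usable on a busy DC.
$since = [DateTime]::UtcNow.AddDays(-$Days).ToString("o")
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4769) and TimeCreated[@SystemTime>='$since']]]
      and *[EventData[Data[@Name='Status']='0xf']]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -ComputerName $ComputerName -FilterXml $query -ErrorAction SilentlyContinue

# 3. Project the fields an analyst needs: which account, from where, for what service.
$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Account  = "$($d.TargetDomainName)\$($d.TargetUserName)"
        ClientIP = $d.IpAddress -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        Service  = $d.ServiceName
        Status   = $d.Status
    }
}

# 4. A single 0xf hit is worth a look; several from one client IP, often
#    against more than one service, is what a tool feeding forged PACs looks like.
$hits | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object @{n='ClientIP';e={$_.Name}}, Count,
                  @{n='Accounts';e={($_.Group.Account | Sort-Object -Unique) -join ', '}},
                  @{n='FirstSeen';e={($_.Group.Time | Measure-Object -Minimum).Minimum}} |
    Format-Table -AutoSize

# Full detail, oldest first, for the case file.
$hits | Sort-Object Time | Format-Table -AutoSize
```

If the script returns nothing on a domain where you expect hits, first confirm that the audit subcategory is actually effective (`auditpol /get /subcategory:"Kerberos Service Ticket Operations"`) and that the Status value in a raw 4769 event is rendered as `0xf`; the Windows event XPath subset is case-sensitive and has no lower-casing function, so a different rendering would need the filter adjusted.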

For more information about the Microsoft MS14-068 patch and affected systems, please refer to the embedded link.